In the Claims:

This listing of claims will replace all prior versions and listings of claims in the
application.

Amendments to the Claims: 

1. (Currently Amended) A cryptographic key server suitable for providing
cryptographic services to remote devices coupled to said cryptographic key server via a network,
said cryptographic key server comprising:

a secure network interface engine executing on said cryptographic key server, said secure
network interface engine operable:

to establish a secure network communication channel with at least one remote
device;

to unmarshal secured cryptographic service requests received from said at least
one remote device; and

to marshal and transmit secure cryptographic service responses to said at least one
remote device; and

a cryptographic service engine executing on said cryptographic key server, said
cryptographic service engine being in bi-directional communication with said secure network
interface engine, said cryptographic service engine operable to provide cryptographic services
requested by said at least one remote device via said secure network interface engine; said
cryptographic service engine also being in bi-directional communication with a secure key
provider providing access for the cryptographic service engine to at least one cryptographic key
and preventing access by said at least one remote device to the at least one cryptographic key,

wherein said cryptographic service requests comprise input data to be transformed; at
least one unique identifier for identifying the at least one cryptographic key for performing the
transformation; and instructions for how the cryptographic service engine should transform the
data.

2. (Original) The cryptographic key server as recited in Claim 1, wherein said at
least one device is an application server.

3. (Original) The cryptographic key server as recited in Claim 1, wherein said
secure network interface engine is arranged such that said secure network communication
channel is established according to a Secure Socket Layer (SSL) protocol.

4. (Original) The cryptographic key server as recited in Claim 1, wherein said
secure network interface engine is arranged such that said secure network communication
channel is established according to a Transport Layer Security (TLS) protocol.

5. (Original) The cryptographic key server as recited in Claim 1, wherein said
secure network interface engine supports multiple communications protocols including a Secure
Socket Layer (SSL) protocol and a Transport Layer Security (TLS) protocol, said secure network
interface engine being responsive to said at least one device to establish said secure network
communication channel according to a protocol selected by said at least one device.

6. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic service engine and said secure network interface engine are components of a
single process executing on said cryptographic key server.

7. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic service engine is operable to perform encryption and decryption functions.

8. (Currently Amended) The cryptographic key server as recited in Claim 7,
wherein said encryption and decryption functions comprise at least one of:

symmetric block ciphers;

generic cipher modes;

stream cipher modes;

public-key cryptography;

padding schemes for public-key systems;

key agreement schemes;

elliptic curve cryptography;

one-way hash functions;

message authentication codes;

cipher constructions based on hash functions;

pseudo random number generators;

password based key derivation functions;

Shamir's secret sharing scheme and Rabin's information dispersal algorithm (IDA);

DEFLATE (RFC 1951) compression/decompression with gzip (RFC 1952) and zlib
(RFC 1950) format support;

fast multi-precision integer (bignum) and polynomial operations;

finite field arithmetic, including GF(p) and GF(2^n); and

prime number generation and verification.

9. (Currently Amended) The cryptographic key server as recited in Claim 7,
wherein said encryption and decryption functions comprise at least one of:

DES, 3DES, AES, RSA, DSA, ECC, RC6, MARS, Twofish, Serpent, CAST-256, DESX,
RC2, RC5, Blowfish, Diamond2, TEA, SAFER, 3-WAY, Gost, SHARK, CAST-128, Square,
Skipjack, ECB, CBC, CTS, CFB, OFB, counter mode (CTR), Panama, ARC4, SEAL, WAKE,
Wake-OFB, Blum Blum Shub, ElGamal, Nyberg-Rueppel (NR), Rabin, Rabin-Williams (RW),
LUC, LUCELG, DLIES (variants of DHAES), ESIGN, padding schemes for public-key systems:
PKCS#1 v2.0, OAEP, PSSR, IEEE P1363 EMSA2, Diffie-Hellman (DH), Unified Diffie-Hellman
(DH2), Menezes-Qu-Vanstone (MQV), LUCDIF, XTR-DH, ECDSA, ECNR, ECIES, ECDH,
ECMQV, SHA-1, MD2, MD4, MD5, HAVAL, RIPEMD-160, Tiger, SHA-2 (SHA-256, SHA-384,
and SHA-512), Panama, MD5-MAC, HMAC, XOR-MAC, CBC-MAC, DMAC, Luby-Rackoff,
MDC, ANSI X9.17 appendix C, PGP's RandPool, PBKDF1 and PBKDF2 from PKCS #5.

10. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic service engine is operable to perform signing and verifying functions.

11. (Original) The cryptographic key server as recited in Claim 10, wherein said
signing and verifying operations include RSA and DSA.

12. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic service engine is operable to perform hashing operations.

13. (Original) The cryptographic key server as recited in Claim 12, wherein said
hashing operations include HMAC with SHA-1.

14. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic service engine is further operable to authenticate and to determine authorization of
a request for cryptographic services prior to and as a condition of performing said cryptographic
services.

15. (Original) The cryptographic key server as recited in Claim 14, wherein
authenticating a request for cryptographic services includes authenticating an identity of one or
more of a set comprising:

a client that is requesting for cryptographic services;

said at least one remote device from which said client is requesting for cryptographic
services; and

a function or program that is executing on said at least one remote device.

16. (Original) The cryptographic key server as recited in Claim 14, wherein
determining authorization of a request for cryptographic services includes determining
authorization privileges granted to one or more of a set comprising:

a client that is requesting for cryptographic services;

said at least one remote device from which said client is requesting for cryptographic
services; and

a function or program that is executing on said at least one remote device.

17. (Original) The cryptographic key server as recited in Claim 16, wherein the
operation of determining authorization of a request for cryptographic services further includes
determining whether said request for cryptographic services is within the privileges of a
requestor that is associated with said request for cryptographic services.

18. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic service engine is operable to track requests for cryptographic services.

19. (Original) The cryptographic key server as recited in Claim 1, said
cryptographic key server further comprising:

a private key engine, said private key engine operable to provide private keys for use by
said cryptographic service engine in performing cryptographic services.

20. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic key server is a network security appliance.

21. (Original) The cryptographic key server as recited in Claim 1, wherein said
cryptographic key server has a computer hardware architecture supporting said cryptographic
service engine and said secure network interface engine, said computer hardware architecture
comprising:

a databus;

a central processing unit bi-directionally coupled to said databus;

a persistent storage device bi-directionally coupled to said databus;

a transient storage device bi-directionally coupled to said databus;

a network I/O device bi-directionally coupled to said databus;

a cryptographic accelerator card bi-directionally coupled to said databus;

a hardware security module bi-directionally coupled to said databus and suitable for
storing private keys; and

a smart card interface device.

22. (Original) The cryptographic key server as recited in Claim 21, wherein said
hardware security module is a tamper resistant device.

23. (Original) The cryptographic key server as recited in Claim 21, wherein said
private keys are loaded into said hardware security module and stored in an encrypted format.

24. (Original) The cryptographic key server as recited in Claim 21, wherein said
private keys are loaded into said hardware security module via smart cards storing said
encrypted private keys.

25. (Original) The cryptographic key server as recited in Claim 24, wherein said
cryptographic key server supports a k-out-of-n secret sharing such that said private keys may
only be accessed by said cryptographic key server after k smart cards have been inserted.

26. (Currently Amended) A cryptographic key server suitable for providing
cryptographic services to remote devices coupled to said cryptographic key server via a network,
said cryptographic key server comprising:

a cryptographic accelerator card bi-directionally coupled to a databus;

a smart card interface device; and

a hardware security module bi-directionally coupled to said databus and suitable for
storing secure data,

wherein said secure data is accessible only when k-out-of-n smart cards are inserted
into said smart card interface device, and wherein the cryptographic key server prevents access
to said hardware security module by at least one remote device.

27. (Original) An application server capable of hosting a plurality of applications,
said application server operable for providing services to a plurality of clients via a network, said
application server comprising:

a cryptographic application program interface (API), said cryptographic API providing a
set of standards by which said plurality of applications can invoke a plurality of cryptographic
services, at least one of said plurality of cryptographic services being performed by a remote
cryptographic key server; and

a secure network interface engine, said secure network interface engine operable to
establish a secure network communication channel with the remote cryptographic key server.

28. (Original) The application server as recited in Claim 27, wherein said
cryptographic API is operable to utilize said secure network interface engine to request remote
cryptographic services.

29. (Original) The application server as recited in Claim 27, wherein said
cryptographic API is exposed as Java Cryptography Extensions (JCE) to said plurality of
applications.

30. (Original) The application server as recited in Claim 27, wherein said
cryptographic API is exposed via Cryptographic Service Provider (CSP) and said cryptographic
API is implemented as a Dynamic Linked Library.

31. (Original) The application server as recited in Claim 27, wherein said
cryptographic API is exposed via MS-CAPI.

32. (Original) A device capable of executing a plurality of functions and programs,
said device comprising:

a secure network interface engine executing on said device, said secure network interface
engine operable to establish a secure network communication channel with at least one remote
cryptographic key server, marshal and transmit secure requests for cryptographic services to said
at least one remote cryptographic key server, and receive and unmarshal secure responses to
requests for cryptographic services; and

a cryptographic application program interface (API) executing on said device and
bi-directionally coupled with said secure network interface engine, said cryptographic API
providing a set of standards by which said plurality of functions and programs can call a
corresponding plurality of cryptographic services, wherein at least one of said plurality of
cryptographic services is performed remotely by said at least one cryptographic key server, said
cryptographic API being responsive to a request for said at least one remote cryptographic
service to utilize the secure network interface engine to request said cryptographic services.

33. (Currently Amended) A computer-implemented method for providing
cryptographic key services, said method comprising the acts of:

establishing a set of private keys on a networked key server;

establishing a secure network communications channel between a networked device and
said networked key server;

receiving a request for cryptographic key services at said networked key server from said
networked device via said secure network communications channel;

authenticating said request for cryptographic key services;

determining authorization of said request for cryptographic key services;

performing said request for cryptographic key services at said networked key server
utilizing said private keys when said request is authorized; and

preventing access to the private keys by the networked device.
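The acts of Claim 33, with the request structure of Claim 1 (input data, a key identifier, and instructions for the transform) and the authentication, authorization and request tracking of Claims 14 to 18, as an added example that is not part of the application. The KeyServer class, its bearer-token authentication and its per-client list of permitted (key identifier, operation) pairs are assumptions made for this example; the TLS channel is not modelled, so handle() is called directly, as the server's request handler would be once the channel is up. HMAC-SHA256 stands in for the cryptographic service. The key never appears in a response and there is no export operation, which is the point of the last act of the claim.

```python
import hashlib
import hmac
import secrets


class KeyServer:
    """In-process stand-in for the networked key server of Claim 33.

    Keys live only inside this object. Callers get transformed data back,
    never key material. The secure channel is assumed to exist around handle().
    """

    def __init__(self):
        self._keys = {}     # key_id -> key bytes, never returned to callers
        self._clients = {}  # bearer token -> client name (assumed scheme)
        self._acl = {}      # client name -> set of (key_id, operation) allowed
        self.audit = []     # every request, tracked as in Claim 18

    def establish_key(self, key_id):
        """Generate a key on the server; it is never sent over the network."""
        self._keys[key_id] = secrets.token_bytes(32)

    def register_client(self, name, grants):
        """Issue a credential for a client and record what it may request."""
        token = secrets.token_hex(16)
        self._clients[token] = name
        self._acl[name] = set(grants)
        return token

    def handle(self, token, request):
        """Authenticate, authorize, then perform the requested transform.

        `request` carries the three elements of Claim 1: `data` to transform,
        `key_id` naming the key, and `op` saying how to transform the data.
        """
        key_id, op = request.get("key_id"), request.get("op")
        client = self._clients.get(token)
        if client is None:
            self.audit.append(("denied-authn", None, key_id, op))
            return {"ok": False, "error": "authentication failed"}
        if (key_id, op) not in self._acl.get(client, set()):
            self.audit.append(("denied-authz", client, key_id, op))
            return {"ok": False, "error": "not authorized"}
        key = self._keys.get(key_id)
        if key is None:
            self.audit.append(("unknown-key", client, key_id, op))
            return {"ok": False, "error": "unknown key"}
        if op == "mac":
            result = hmac.new(key, request["data"], hashlib.sha256).hexdigest()
        elif op == "verify":
            expected = hmac.new(key, request["data"], hashlib.sha256).hexdigest()
            result = hmac.compare_digest(expected, request["tag"])
        else:
            # Deliberately no "export" operation: the key does not leave.
            self.audit.append(("unsupported", client, key_id, op))
            return {"ok": False, "error": "unsupported operation"}
        self.audit.append(("ok", client, key_id, op))
        return {"ok": True, "result": result}


def demo():
    """Constructed scenario: one client may only MAC, another may only verify."""
    server = KeyServer()
    server.establish_key("hmac-key-1")
    signer = server.register_client("app-server", {("hmac-key-1", "mac")})
    checker = server.register_client("back-end", {("hmac-key-1", "verify")})
    payload = b"order=1234;amount=99.00"  # constructed sample input
    signed = server.handle(signer, {"data": payload, "key_id": "hmac-key-1", "op": "mac"})
    verified = server.handle(checker, {"data": payload, "key_id": "hmac-key-1",
                                       "op": "verify", "tag": signed["result"]})
    tampered = server.handle(checker, {"data": payload + b"0", "key_id": "hmac-key-1",
                                       "op": "verify", "tag": signed["result"]})
    overreach = server.handle(checker, {"data": payload, "key_id": "hmac-key-1", "op": "mac"})
    stranger = server.handle("not-a-token", {"data": payload, "key_id": "hmac-key-1", "op": "mac"})
    return signed, verified, tampered, overreach, stranger, server


if __name__ == "__main__":
    for outcome in demo()[:5]:
        print(outcome)
```

The authorization check keys on the pair (key identifier, operation) rather than on the client alone, which is what lets the same key be usable for one operation by one requestor and a different operation by another, as Claims 49 and 50 describe.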

34. (Original) The computer-implemented method for providing cryptographic key
services as recited in Claim 33, wherein said act of establishing private keys on a networked
server includes the act of encrypting said set of private keys.

35. (Original) The computer-implemented method for providing cryptographic key
services as recited in Claim 33, wherein said act of encrypting said set of private keys is done
using a k-out-of-n secret sharing technique.

36. (Original) The computer-implemented method for providing cryptographic key
services as recited in Claim 33, wherein said act of establishing a secure network
communications channel includes use of a SSL protocol.

37. (Original) The computer-implemented method for providing cryptographic key
services as recited in Claim 33, wherein said act of establishing a secure network
communications channel includes use of a TLS protocol.

38. (Original) The computer-implemented method for providing cryptographic key
services as recited in Claim 33, wherein said act of authenticating said request includes the act of
authenticating an identity of one or more of a set comprising:

a client that is requesting for cryptographic services;

said networked device from which said client is requesting for cryptographic services;
and

a function or program that is executing on said networked device.

39. (Original) The computer-implemented method for providing cryptographic key
services as recited in Claim 33, wherein said act of determining authorization of said request
includes the act of determining authorization privileges granted to one or more of a set
comprising:

a client that is requesting for cryptographic services;

said networked device from which said client is requesting for cryptographic services;
and

a function or program that is executing on said networked device.

40. (Original) The computer-implemented method as recited in Claim 38, wherein
the act of determining authorization of said request includes the act of determining whether said
request is within rights of a requestor that is associated with said request for cryptographic
services.

41. (Original) The computer-implemented method as recited in Claim 33, further
comprising the act of tracking all requests for cryptographic services.
42. (Original) A computer-implemented method for providing networked
cryptographic key services, said method comprising the acts of:

integrating a cryptographic API within an application server;

exposing cryptographic services to a plurality of applications executing on said
application server via said cryptographic API;

establishing a secure network communications channel between said application server
and a remote cryptographic key server;

receiving a request for cryptographic services from an application via said cryptographic
API;

marshalling said request for cryptographic services for transmission to said cryptographic
key server;

transmitting said marshaled request for cryptographic services to said cryptographic key
server via said secure network communications channel;

receiving a response to said request via said secure network communications channel;

unmarshalling said response; and

providing a usable response to said requesting application via said cryptographic API.

43. (Currently Amended) A method for securing cryptographic keys within a
server system, the method comprising the computer-implemented acts of:

storing on a key server cryptographic keys used for encrypting data; and

wherein said key server communicates with at least one component of said server system
using a secure communications channel, and wherein said key server prevents access to the
stored cryptographic keys by at least one remote device.

44. (Currently Amended) A method for securing cryptographic keys within a
network system, the method comprising the computer-implemented acts of:

storing cryptographic keys used for encrypting data on a key server; and

wherein said key server is a dedicated network appliance that performs cryptographic
operations on behalf of at least one component of said network system, and wherein said key
server prevents access to the stored cryptographic keys by at least one remote device.
45. (Original) The method as recited in Claim 44, wherein said cryptographic
operations include operations under a Secure Socket Layer (SSL) protocol.

46. (Original) The method as recited in Claim 44, wherein said cryptographic
operations include operations under a Transport Layer Security (TLS) protocol.

47. (Original) The method as recited in Claim 44, wherein sensitive data is stored in
said network system only in encrypted form.

48. (Original) A cryptographic key server appliance for securing cryptographic
keys within a network system, wherein said cryptographic key server stores cryptographic keys
and controls access to said stored cryptographic keys.

49. (Original) The cryptographic key server appliance as recited in Claim 48,
wherein said access includes using at least one of said stored cryptographic keys solely for
encryption operations.

50. (Original) The cryptographic key server appliance as recited in Claim 48,
wherein said access includes using at least one of said stored cryptographic keys solely for
decryption operations.

51. (Original) A cryptographic appliance for securing sensitive information within
a server system, comprising:

a data communications bus;

a central processing unit bi-directionally coupled to said data communications bus;

transient memory bi-directionally coupled to said data communications bus;

persistent memory bi-directionally coupled to said data communications bus;

a network I/O device bi-directionally coupled to said data communications bus;

a crypto-accelerator unit bi-directionally coupled to said data communications bus;

a hardware security module; and

a smart card interface coupled to said data communications bus.

52. (Currently Amended) A computer-implemented method for providing
cryptographic services in a network system, said computer-implemented process comprising the
acts of:

securely loading cryptographic keys onto a key server;

establishing a secure transport session between a first component of said network system
and said key server;

authenticating one or more components of said network including said first component to
said key server;

determining authorization of said one or more components of said network including said
first component to said key server;

making a request for cryptographic operations from said first component to said key
server;

determining whether said request is to be performed by said key server based on results
associated with the acts of authenticating and determining authorization;

if said request is authorized, then performing said requested cryptographic operations on
said key server;

providing the results of said requested cryptographic operations from said key server to
said first component via said secure transport session; and

preventing access by said first component to at least one cryptographic key used by said
key server to perform said requested cryptographic operations.

53. (Original) A method for protecting data in a network system, said
computer-implemented method comprising the acts of:

providing a network device for intercepting and inspecting data that is en route to an
application server, wherein said network device is part of a pre-defined group of cryptographic
servers that share a group key and said network device is operable for:

determining whether said data is sensitive data;

encrypting said data to form encrypted data if said data is sensitive, wherein the
act of encrypting includes using a group key that is shared by said pre-defined group of
cryptographic servers; and

forwarding said encrypted data to said application server;

storing said encrypted data in a storage medium associated with said application server;
and

allowing one or more back-end application servers to employ one of said pre-defined
group of cryptographic servers to retrieve said encrypted data from said storage medium and
decrypt said encrypted data if said one or more back-end application servers is authorized to
access said data.

54. Canceled 

55. Canceled 

56. Canceled 

57. Canceled 

58. Canceled 

59. Canceled 

60. (Currently Amended) A computer implemented method for providing
cryptographic services for an application server, the computer implemented process comprising:

securely loading the cryptographic keys onto a key server;

establishing a secure transport session between the application server and the key server;

authenticating the application server to the key server;

making a request for cryptographic operations from the application server to the key
server;

performing, at the key server, cryptographic operations on data managed by the
application server;

providing the results of the requested cryptographic operations from the key server to the
application server via the secure transport session; and

preventing access by the application server to at least one cryptographic key used by the
key server to perform the cryptographic operations.

61. (Previously Presented) The method as recited in claim 60, wherein the secure
transport session is established by using a SSL protocol.

62. (Previously Presented) The method as recited in claim 60, wherein the secure
transport session is established by using a TLS protocol.

63. (Previously Presented) The method as recited in claim 60, further comprising:
marshaling the request from the application server to the key server.

64. (Previously Presented) The method as recited in claim 60, further comprising:
un-marshaling the results of the requested cryptographic operations from the key server
to the application server.

65. (New) The cryptographic key server as recited in claim 1, wherein said at least
one key is generated and stored on said cryptographic key server without being transmitted
across said network.

66. (New) The cryptographic key server as recited in claim 1, wherein said at least
one key is a symmetric key generated and stored on said cryptographic key server without being
transmitted across said network.